Tomas, I don't understand. If I chroot then I can't do much at all right? Unless I replicate/link like the entire system, minus login.
su/wheel group/sudo doesn't prevent simple running of login and typing the root password, right? Am I missing something?

Maybe that ssh-only access to myself is good enough? Once I am me on the machine, there's no need for an obstacle to be root? And then su from there to root? I don't need to ssh as root?

But if I allow others to ssh in, and don't limit them with chroot, then a password is needed. They won't be able to su/sudo, but they can still login. Right? So I'm back to the earlier point.

Thanks,
- Jay

----------------------------------------
> Date: Fri, 22 Oct 2010 13:11:44 +0300
> Subject: Re: password-less console-only access and ssh remote access?
> From: tomas.bod...@gmail.com
> To: jay.kr...@cornell.edu
> CC: bret.lamb...@gmail.com; misc@openbsd.org
>
> On Fri, Oct 22, 2010 at 1:01 PM, Jay K wrote:
> >> You can get almost the same thing by setting "PasswordAuthentication" to "no"
> >> in your sshd_config file, and hand out empty or ridiculously simple passwords
> >> for the console (honestly, who would forget "yermomsawhore" as a password?).
> >
> > How do I limit their use to the console?
> >
> > If say I ssh in as non-root and then login root?
>
> You can chroot those logins and why they need root? You don't need to
> allow use of su for them, they don't need to be in wheel group and you
> can set in sudo only 'must need' apps for them.
>
> > ssh surely isn't the sole gatekeeper for login?
> >
> > (Granted, I am NOT running ftpd or telnetd; though
> > at some point I'd like smbd/nfsd, hopefully
> > both secure and convenient, hopefully using ssh somehow...).
> >
> > Thanks,
> > - Jay